Using Composer
Composer is the dependency manager for PHP. Over SSH it reads your composer.json, resolves the libraries your project needs, and installs them into a vendor/ directory. This page covers running Composer on your hosting account.
The Core Commands
From your project directory, these three commands cover almost everything:
composer install
composer update
composer require vendor/package
- install — installs the exact versions pinned in
composer.lock. Use this on a fresh checkout to reproduce a known-good set of dependencies. - update — resolves the latest allowed versions from
composer.jsonand rewritescomposer.lock. - require — adds a new package, updating both
composer.jsonandcomposer.lock, for examplecomposer require guzzlehttp/guzzle.
Selecting the PHP Version
Composer runs under whichever PHP the shell defaults to, which may not match the version your site uses. Set your account's CLI version in the Select PHP Version tool (the CloudLinux PHP Selector) in cPanel, or call the matching ea-php binary explicitly:
php -v
ea-php82 -v
ea-php82 composer.phar install
Running Composer through the same PHP version your application targets ensures the resolved dependencies are compatible with your runtime.
php -v before installing. If it reports a different version than your site runs, prefix your Composer command with the correct ea-php binary so dependencies are resolved against the right PHP.
Raising the Memory Limit
Large dependency trees can exhaust PHP's memory limit, and Composer will stop with a fatal allowed memory size exhausted error. Give Composer an unlimited limit just for that run:
php -d memory_limit=-1 composer.phar install
php -d memory_limit=-1 composer.phar update
The -d memory_limit=-1 flag applies only to that single command — it does not change your account's PHP settings.
Where the vendor/ Directory Goes
Composer installs packages into a vendor/ directory next to your composer.json, and writes a vendor/autoload.php file you include to load them:
require __DIR__ . '/vendor/autoload.php';
vendor/ out of your public web root where possible, and never edit files inside it by hand — the next composer install or composer update will overwrite your changes. Manage dependencies only through composer.json.
Committing composer.json and composer.lock
Both files belong in version control. Commit composer.json (your declared dependencies) and composer.lock (the exact resolved versions), but add vendor/ to your .gitignore:
echo "/vendor/" >> .gitignore
git add composer.json composer.lock .gitignore
git commit -m "Add project dependencies"
On deployment you then run composer install to rebuild vendor/ from the committed lock file, guaranteeing every environment gets identical versions. See Git Version Control for setting up a repository and automatic deployment.